07-09-2014 08:46 PM - edited 03-07-2019 08:00 PM
I'm seeking the advice of some experts here. I've got a new Cisco ASA 5505 with the Security+ license and a Cisco L2 switch.
I've got 10 VLANs and want to assign an individual public IP address to each VLAN's subnet. The point is that each of the 10 VLANs represents a different client office in my building, and each client may run similar services, want port forwarding, and whatnot.
I've not been able to figure out how to make it work. I'm familiar with 1:1 NAT, but not with a scenario where whatismyip.com shows a different IP depending on which VLAN I'm on. I'll end up port forwarding stuff for each client in the future, like RDP, etc.
The ASA is running version 9.2. Anyone able to spot a mistake in my config?
Here's a piece of my config; some part of it is incorrect and not working:
interface Vlan1
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.67.62.66 255.255.255.248
!
interface Vlan110
nameif sub110
security-level 100
ip address 192.168.11.1 255.255.255.0
I created an object for the second static
object network ispstatic2
host 69.67.62.67
Some objects:
object network sub110route
subnet 192.168.11.0 255.255.255.0
And the route that doesn't appear to work:
object network obj_any
nat (management,outside) dynamic interface
object network sub110route
nat (any,any) dynamic ispstatic2
route outside 0.0.0.0 0.0.0.0 69.67.62.65 1
route sub110 192.168.11.0 255.255.255.0 69.67.62.67 1
07-09-2014 09:15 PM
Hi,
Update your config as below
object network ispstatic2
host 69.67.62.67
object network sub110route
subnet 192.168.11.0 255.255.255.0
nat (sub110,outside) dynamic ispstatic2
Likewise, you can repeat this for the other VLANs. Your outside interface subnet range can accommodate only 4 public IP addresses for PAT, including your interface IP address.
Remove the config below:
no route sub110 192.168.11.0 255.255.255.0 69.67.62.67 1
no nat (any,any) dynamic ispstatic2
HTH
Sandy
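As an added illustration of the per-VLAN PAT pattern in the reply above (this is not code from the thread or from Cisco), the script below emits the object/nat statements for a VLAN-to-public-address mapping and checks the mapping against the outside /29 first. It takes the outside interface address and the ISP gateway from the configuration posted in this thread and refuses an address that is the gateway, the ASA's own address, the broadcast address, off-subnet, or already assigned to another VLAN. The mapping itself and the object names pat_<nameif> and <nameif>route are assumptions.

```python
"""Emit per-VLAN dynamic PAT statements for a Cisco ASA and sanity-check the
public address pool first.

Added example, not part of the thread.  The outside interface address, the
ISP gateway, the interface names and the inside subnets are taken from the
configuration posted in this thread; the VLAN-to-public-address mapping and
the object names pat_<nameif> and <nameif>route are assumptions.
"""
import ipaddress
from typing import Dict, List

# From "interface Vlan2 ... ip address 69.67.62.66 255.255.255.248"
OUTSIDE_IF = ipaddress.ip_interface("69.67.62.66/29")
# From "route outside 0.0.0.0 0.0.0.0 69.67.62.65 1"
GATEWAY = ipaddress.ip_address("69.67.62.65")

# nameif -> inside subnet, from the posted "interface VlanNNN" blocks
INSIDE_SUBNETS: Dict[str, str] = {
    "sub110": "192.168.11.0/24",
    "sub120": "192.168.12.0/24",
    "sub130": "192.168.13.0/24",
    "sub140": "192.168.14.0/24",
    "sub150": "192.168.15.0/24",
}


def usable_pat_addresses(outside_if=OUTSIDE_IF, gateway=GATEWAY) -> List[ipaddress.IPv4Address]:
    """Host addresses on the outside subnet that are free for PAT: every host
    address except the ASA's own interface address and the ISP gateway."""
    return [a for a in outside_if.network.hosts() if a not in (outside_if.ip, gateway)]


def pat_config(vlan_to_public: Dict[str, str],
               inside_subnets: Dict[str, str] = INSIDE_SUBNETS,
               outside_if=OUTSIDE_IF, gateway=GATEWAY) -> List[str]:
    """Return ASA CLI lines that give each listed VLAN interface its own PAT address.

    Raises ValueError for an address that is off-subnet, the network/broadcast
    address, the gateway, the ASA's own address, or already used by another VLAN.
    """
    pool = usable_pat_addresses(outside_if, gateway)
    assigned = set()
    lines: List[str] = []
    for nameif, public in vlan_to_public.items():
        addr = ipaddress.ip_address(public)
        if addr not in pool:
            raise ValueError(f"{addr} is not a usable PAT address on {outside_if.network}")
        if addr in assigned:
            raise ValueError(f"{addr} is already assigned to another VLAN")
        assigned.add(addr)
        inside = ipaddress.ip_network(inside_subnets[nameif])
        pub_obj = f"pat_{nameif}"      # assumed name for the mapped-address object
        in_obj = f"{nameif}route"      # follows the thread's "sub110route" naming
        lines += [
            f"object network {pub_obj}",
            f" host {addr}",
            f"object network {in_obj}",
            f" subnet {inside.network_address} {inside.netmask}",
            # The nat statement lives under the inside object and references the
            # mapped-address object, which therefore has to be defined first.
            f" nat ({nameif},outside) dynamic {pub_obj}",
        ]
    return lines


if __name__ == "__main__":
    print("usable PAT addresses:", [str(a) for a in usable_pat_addresses()])
    print("\n".join(pat_config({"sub110": "69.67.62.67", "sub120": "69.67.62.68",
                                "sub130": "69.67.62.69", "sub140": "69.67.62.70"})))
```

With the posted /29, the pool the script computes is exactly 69.67.62.67 through 69.67.62.70, which matches the four static objects in the full configuration further down the thread; a fifth VLAN cannot get its own address without more public space.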
07-10-2014 07:39 AM
I've updated my config as you've suggested, and VLAN 110 on 192.168.11.0 still does not appear to have any internet access. I can't ping out, or ping the "ispstatic2" address, or the ISP gateway address.
Any other suggestions?
07-10-2014 07:50 AM
Hi,
Share your ASA config with me.
HTH
Sandy
07-10-2014 07:59 AM
ASA Version 9.2(1)
!
hostname sdbciscoasa
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport trunk allowed vlan 1-2,110,120,130,140,150,160,170,180,190,200,210,220,230,240,250,260,270,280
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 69.67.62.66 255.255.255.248
!
interface Vlan110
description careco
nameif sub110
security-level 100
ip address 192.168.11.1 255.255.255.0
!
interface Vlan120
nameif sub120
security-level 100
ip address 192.168.12.1 255.255.255.0
!
interface Vlan130
nameif sub130
security-level 100
ip address 192.168.13.1 255.255.255.0
!
interface Vlan140
nameif sub140
security-level 100
ip address 192.168.14.1 255.255.255.0
!
interface Vlan150
nameif sub150
security-level 100
ip address 192.168.15.1 255.255.255.0
!
interface Vlan160
nameif sub160
security-level 100
ip address 192.168.16.1 255.255.255.0
!
interface Vlan170
nameif sub170
security-level 100
ip address 192.168.17.1 255.255.255.0
!
interface Vlan180
nameif sub180
security-level 100
ip address 192.168.18.1 255.255.255.0
!
interface Vlan190
nameif sub190
security-level 100
ip address 192.168.19.1 255.255.255.0
!
interface Vlan200
nameif sub200
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan210
nameif sub210
security-level 100
ip address 192.168.21.1 255.255.255.0
!
interface Vlan220
nameif sub220
security-level 100
ip address 192.168.22.1 255.255.255.0
!
interface Vlan230
nameif sub230
security-level 100
ip address 192.168.23.1 255.255.255.0
!
interface Vlan240
nameif sub240
security-level 100
ip address 192.168.24.1 255.255.255.0
!
interface Vlan250
nameif sub250
security-level 100
ip address 192.168.25.1 255.255.255.0
!
interface Vlan260
nameif sub260
security-level 100
ip address 192.168.26.1 255.255.255.0
!
interface Vlan270
nameif sub270
security-level 100
ip address 192.168.27.1 255.255.255.0
!
interface Vlan280
nameif sub280
security-level 100
ip address 192.168.28.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network ispstatic2
host 69.67.62.67
object network ispstatic3
host 69.67.62.68
object network isstatic4
host 69.67.62.69
object network harborstatic5
host 69.67.62.70
object network sub110route
subnet 192.168.11.0 255.255.255.0
pager lines 24
logging asdm informational
mtu management 1500
mtu outside 1500
mtu sub110 1500
mtu sub120 1500
mtu sub130 1500
mtu sub140 1500
mtu sub150 1500
mtu sub160 1500
mtu sub170 1500
mtu sub180 1500
mtu sub190 1500
mtu sub200 1500
mtu sub210 1500
mtu sub220 1500
mtu sub230 1500
mtu sub240 1500
mtu sub250 1500
mtu sub260 1500
mtu sub270 1500
mtu sub280 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (management,outside) dynamic interface
object network sub110route
nat (sub110,outside) dynamic ispstatic2
route outside 0.0.0.0 0.0.0.0 69.67.62.65 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.50-192.168.10.200 management
dhcpd enable management
!
dhcpd address 192.168.11.50-192.168.11.100 sub110
dhcpd enable sub110
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end
07-10-2014 08:17 AM
Hi,
Run the packet-tracer command and share the output with me; similarly, ping the internet destination 4.2.2.2 from your ASA to confirm the internet is reachable.
Paste me the output of the command below:
packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80
HTH
Sandy
07-10-2014 08:27 AM
sdbciscoasa# packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 69.67.62.65, outside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: sub110
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
07-10-2014 09:43 AM
Hi,
Configure the commands below and test again.
ip verify reverse-path interface sub110
access-list sub110_out extended permit ip 192.168.11.0 255.255.255.0 any
access-group sub110_out in interface sub110
Run the packet-tracer command again and share the output with me.
HTH
Sandy
07-10-2014 10:02 AM
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 69.67.62.65, outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.11.1 255.255.255.255 identity
Result:
input-interface: sub110
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
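The two traces above both end in "Action: drop" but for different reasons, and the first trace's drop is recorded inside Phase 2 while the second trace's drop appears only in the summary. The following is an added example (not from the thread or from Cisco) that parses packet-tracer output, reports the first phase whose own Result is DROP, and flags when a ROUTE-LOOKUP phase resolved the source to the identity route; the second trace shows that for source 192.168.11.1, which per the posted configuration is the sub110 interface's own address rather than a host behind it. The sample traces are abridged reconstructions of the output posted above.

```python
"""Parse Cisco ASA packet-tracer output and report where a flow was dropped.

Added example, not part of the thread.  The two sample traces are abridged
reconstructions of the output posted above; field names are the ASA's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    result: str = ""
    details: List[str] = field(default_factory=list)  # Config / Additional Information lines


@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    action: Optional[str] = None
    drop_reason: Optional[str] = None


def parse_packet_tracer(text: str) -> Trace:
    """'Phase: N' opens a phase block; a bare 'Result:' line opens the final summary."""
    trace, phase = Trace(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Config:", "Additional Information:"):
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(number=int(m.group(1)))
            trace.phases.append(phase)
            continue
        if line == "Result:":  # summary block: no phase is current any more
            phase = None
            continue
        key, _, value = line.partition(":")
        if phase is not None:
            if key == "Type":
                phase.type = value.strip()
            elif key == "Result":
                phase.result = value.strip()
            else:  # routes, ACL names, "Implicit Rule", ...
                phase.details.append(line)
        elif key == "Action":
            trace.action = value.strip()
        elif key == "Drop-reason":
            trace.drop_reason = value.strip()
    return trace


def dropping_phase(trace: Trace) -> Optional[Phase]:
    """First phase whose own result is DROP; None when only the summary reports it."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def source_is_asa_interface(trace: Trace) -> bool:
    """A ROUTE-LOOKUP that resolves the source to the 'identity' route means the
    traced source address is one of the ASA's own addresses, not a host behind it."""
    return any(d.endswith("identity") for p in trace.phases
               if p.type == "ROUTE-LOOKUP" for d in p.details)


# Constructed samples, abridged from the two traces posted in this thread.
ACL_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 via 69.67.62.65, outside
Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

RPF_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 0.0.0.0 0.0.0.0 via 69.67.62.65, outside
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
in 192.168.11.1 255.255.255.255 identity
Result:
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
"""

if __name__ == "__main__":
    for sample in (ACL_TRACE, RPF_TRACE):
        tr = parse_packet_tracer(sample)
        p = dropping_phase(tr)
        where = f"phase {p.number} ({p.type})" if p else "summary only"
        hint = "  [source is an ASA interface address]" if source_is_asa_interface(tr) else ""
        print(f"{tr.action} in {where}: {tr.drop_reason}{hint}")
```

Run against real output, the identity flag is the thing to look at first: a trace sourced from a real host on 192.168.11.0/24 (for example 192.168.11.50, inside the DHCP range in the posted config) exercises the NAT and RPF checks the way client traffic does, whereas a trace sourced from the interface address does not.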
07-10-2014 10:17 AM
Hi,
Have you applied the commands? Share the following output with me:
1) show route
2) ping 4.2.2.2 from your ASA
Apply below commands
ip verify reverse-path interface outside
ip verify reverse-path interface sub110
If you still see the issue, open a WebEx session if you have one.
HTH
Sandy
07-10-2014 10:25 AM
I have applied the commands.
Here's the show route:
Gateway of last resort is 69.67.62.65 to network 0.0.0.0
S* 0.0.0.0 0.0.0.0 [1/0] via 69.67.62.65, outside
C 69.67.62.64 255.255.255.248 is directly connected, outside
L 69.67.62.66 255.255.255.255 is directly connected, outside
C 192.168.10.0 255.255.255.0 is directly connected, management
L 192.168.10.1 255.255.255.255 is directly connected, management
C 192.168.11.0 255.255.255.0 is directly connected, sub110
L 192.168.11.1 255.255.255.255 is directly connected, sub110
C 192.168.12.0 255.255.255.0 is directly connected, sub120
L 192.168.12.1 255.255.255.255 is directly connected, sub120
C 192.168.13.0 255.255.255.0 is directly connected, sub130
L 192.168.13.1 255.255.255.255 is directly connected, sub130
C 192.168.14.0 255.255.255.0 is directly connected, sub140
L 192.168.14.1 255.255.255.255 is directly connected, sub140
C 192.168.15.0 255.255.255.0 is directly connected, sub150
L 192.168.15.1 255.255.255.255 is directly connected, sub150
C 192.168.16.0 255.255.255.0 is directly connected, sub160
L 192.168.16.1 255.255.255.255 is directly connected, sub160
C 192.168.17.0 255.255.255.0 is directly connected, sub170
L 192.168.17.1 255.255.255.255 is directly connected, sub170
C 192.168.18.0 255.255.255.0 is directly connected, sub180
L 192.168.18.1 255.255.255.255 is directly connected, sub180
C 192.168.19.0 255.255.255.0 is directly connected, sub190
L 192.168.19.1 255.255.255.255 is directly connected, sub190
C 192.168.20.0 255.255.255.0 is directly connected, sub200
L 192.168.20.1 255.255.255.255 is directly connected, sub200
C 192.168.21.0 255.255.255.0 is directly connected, sub210
L 192.168.21.1 255.255.255.255 is directly connected, sub210
C 192.168.22.0 255.255.255.0 is directly connected, sub220
L 192.168.22.1 255.255.255.255 is directly connected, sub220
C 192.168.23.0 255.255.255.0 is directly connected, sub230
L 192.168.23.1 255.255.255.255 is directly connected, sub230
C 192.168.24.0 255.255.255.0 is directly connected, sub240
L 192.168.24.1 255.255.255.255 is directly connected, sub240
C 192.168.25.0 255.255.255.0 is directly connected, sub250
L 192.168.25.1 255.255.255.255 is directly connected, sub250
C 192.168.26.0 255.255.255.0 is directly connected, sub260
L 192.168.26.1 255.255.255.255 is directly connected, sub260
C 192.168.27.0 255.255.255.0 is directly connected, sub270
L 192.168.27.1 255.255.255.255 is directly connected, sub270
C 192.168.28.0 255.255.255.0 is directly connected, sub280
L 192.168.28.1 255.255.255.255 is directly connected, sub280
I can successfully ping from the console:
sdbciscoasa# ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
sdbciscoasa#
Here's the most recent trace:
sdbciscoasa# packet-tracer input sub110 tcp 192.168.11.1 5000 4.2.2.2 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 69.67.62.65, outside
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.11.1 255.255.255.255 identity
Result:
input-interface: sub110
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (rpf-violated) Reverse-path verify failed
07-10-2014 10:48 AM
1) From your ASA, are you able to ping a host IP address on the network segment 192.168.11.1 255.255.255.0?
Hopefully it should work now, after you have added your DNS server IP address to your end host.
HTH
Sandy
07-10-2014 10:48 AM
I've sent you an e-mail to your profile address for the remote session. Not sure if that's the best way to reach you or not. I can ping the host address of vlan 1 externally.